
Data breach costs can be huge – Ep 395 

 February 24, 2023

By  Donna Grindle

Data breaches can be costly – so costly, in fact, that they can turn a business’s bottom line into a roller coaster of emotion, ranging from shock and dismay to tears of dollars! But with a robust privacy and security program in place, businesses can reduce the likelihood of a data breach and the financial impact that comes with it.


In this episode:

Data breach costs can be huge – Ep 395

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[06:59] We got a question about accepting patient payments on your website.

A web designer will tell you that they can absolutely set your site up to take payments from patients. But they often don’t think about your compliance obligations. They don’t think they have to worry about HIPAA and PHI, or they don’t even know it is a thing for their healthcare clients. Web designers use many tools to create and run your website, including tools for taking patient payments. You need to know where the data is coming from, what data is requested to complete the payment transaction, where that information is going, how it is getting there, and who has access to it. Do your risk analysis, folks!

Listen to our recent podcast Spitballing Website Tracking – Ep 390 to hear us discuss the kinds of things that can be happening with your website behind the scenes.

Data Breach Costs Can Be Huge!

[13:12] News came out this week about a new zero day vulnerability that is being used to attack health systems. The latest victim is Community Health Systems (CHS), which confirmed 1 million patients were impacted. The zero day is in a file-transfer software called GoAnywhere MFT, developed by Fortra (previously known as HelpSystems). There is an emergency patch for the software, but not everyone has applied it yet.

This news comes out around the same time BleepingComputer reported that the Clop ransomware gang had “claimed” they breached 130 different organizations using that GoAnywhere MFT software. This Clop gang has been able to take advantage of zero day vulnerabilities for years. Back in 2020, they were the ones who hit users of Accellion’s FTP transfer application to breach a lot of organizations. They also recently “announced” they have a new Linux variant allowing them to attack those servers too.

These gangs often brag and embellish, but even if they only got half that number, it is still a large number of organizations to have had data exfiltrated and/or ransomware launched to shut them down.

These attacks will continue as we have said many times. There is no reason at all to believe there is any relief from the attackers on the horizon. The costs of these attacks can be massive even when you don’t pay them. Sometimes, paying them seems like the cheapest route, but as we have said many times, that is often not the case.

[29:46] An example of the huge costs is what is happening with CommonSpirit Health, an Illinois-based non-profit health system, which has been playing out since October. A ransomware attack brought down their operations and exposed data of 623,774 patients. This operation is huge, operating 140 hospitals and over 1,000 “care sites” in 21 states.

That attack kept many systems down, with staff operating without access for days or weeks depending on the area you worked in at the time. We started seeing the class actions in January, and they recently announced their financial reports, which mentioned the cyberattack.

They had $451 million in operating losses for the six-month period ending Dec. 31. They estimated costs from the October cybersecurity event at approximately $150 million. That is only the estimate so far, not counting the ongoing legal issues and investigation costs. So the attack accounts for 33% of the total loss, and one has to ask how much of the remaining $300 million that loss contributed to.

Costs of Not Doing Business

[35:33] The Healthcare Sector DDoS Guide was released Feb 13. Grab a copy to understand DDoS and how it impacts healthcare. They created that guide to help the industry understand what to do about these attacks because they had previously published this one: Pro-Russian Hacktivist Group ‘KillNet’ Threat to HPH Sector, which says:

The hacktivist group ‘KillNet’ has targeted the U.S. healthcare industry in the past and is actively targeting the health and public health sector. The group is known to launch DDoS attacks and operates multiple public channels aimed at recruitment and garnering attention from these attacks.

[41:21] DDoS attacks aimed at healthcare operations could be costly as well. Cloudflare says it stopped the largest DDoS attack on record.

These attacks may not take the data, but the data will be unavailable. Availability is the part of the CIA triad we are supposed to address here. When you have no access to the Internet at all, how well can you operate your business?

“Ransom DDoS attacks don’t require tricking the victim into opening an email or clicking a link, nor do they require a network intrusion or a foothold to be carried out,” Cloudflare said. Instead, hackers just flood their victims with enough traffic to negatively impact their internet services, and ask for a payment to stop the attack.

There is a lot to worry about and consider when trying to maintain the confidentiality, integrity and availability of your data and resources. Developing a privacy and security program is not easy and, contrary to many “HIPAA made easy” vendors out there, it can’t be done in 3 days or a week. Developing a robust privacy and security program takes time and is a consistent effort to maintain.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.

HelpMeWithHIPAA.com is a collaborative project created & sponsored by: